Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/08/2024, 01:21

General

  • Target

    daa3f3ff735da217e65b4b372abea33a2c11796a4432b67852957fd9dfdb35ad.msi

  • Size

    4.6MB

  • MD5

    b579209ffd24ed37bc4c4aa95dbd027e

  • SHA1

    cc5643c0dca29e91c8f7fcbd1e2784601c06caea

  • SHA256

    daa3f3ff735da217e65b4b372abea33a2c11796a4432b67852957fd9dfdb35ad

  • SHA512

    d052a5fccb4e630e2d444aa74fbc7722e2bf553f1bff0f7f98078a9b9e0c5cd862006d36213ebecb7dc2834c3fd4a4af89af6d061df632894a948b912e429db1

  • SSDEEP

    98304:xEqANPKab52vFRkfwWc+u6M7ucTRDLKu7t58MUYrrpuP9tCFB7FS:WPKpkfwWlu66PRDLb58MnrrOt

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Loads dropped DLL 2 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\daa3f3ff735da217e65b4b372abea33a2c11796a4432b67852957fd9dfdb35ad.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2072
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3216
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 4FBE310B588DD553803DED0E09687CC8 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:5100

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSI9441.tmp

    Filesize

    571KB

    MD5

    74e478e182e05b8e0e721e1b6a61f876

    SHA1

    afe914643ac1763c1fc7fa6b8fd75577c6dc3f58

    SHA256

    29d8078ec5fbd57c156008bfcceceb277805d375c80a3a5e8355bd4484e3632d

    SHA512

    73fbc3c58b5fa03504b7080540198b3d3f6dbfdb49b73848b2d599bbc821b763a118649f2ac7216fefcc98dad4dc4fc77b9a7ff3d862ea4b7536bf03377fba7f